Blog Comments & Posts

Working on a WordPress site comes with its own set of security vulnerabilities, and the more you know, the safer your site will be. With custom code to block intrusion attempts and boatloads of additional resources, this is your guide to thwarting any would-be attackers.

I'd love to see some data from psychology or neuroscience as to why the headlines that were most preferred were the most preferred. Clear, number headline, sentence case, 1 superlative...what makes that blend so ideal?

Also, you said you surveyed 750 people in the US. What sort of demographic mix?

I haven't experienced the site slowing deal with the SQL Injection Block...my business site consistently loads in under 1 second, and I have that on there.

The spammy query strings bit I tend to fill out by looking at log files. If someone has attempted to point links to your site with spammy query strings appended to the URLs, you can see it in the log file and then block accordingly.
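Added example, not from the original post or its author: a short Python script that does what this comment describes by hand, pulling the query strings out of access-log lines, tallying parameter names the site never uses, and rendering an Apache mod_rewrite block that answers 403 to requests carrying them. The log lines, the allowlist of known parameters and the host names in it are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /blog/wordpress-security/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /?s=security HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/wordpress-security/?buy=cheap-pills&ref=spamsite HTTP/1.1" 200 5123 "http://spamsite.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about/?buy=cheap-pills HTTP/1.1" 200 2210 "http://spamsite.example/" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:57:15 +0000] "GET /contact/?utm_source=newsletter HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# Query parameters this (hypothetical) WordPress site legitimately uses; anything else is suspect.
KNOWN_PARAMS = {"s", "p", "page_id", "utm_source", "utm_medium", "utm_campaign"}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[\d.]+"')

def extract_query_params(log_text):
    """Count every (parameter, value) pair appearing in request query strings."""
    seen = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-request line, skip it
        query = urlsplit(m.group("path")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            seen[(name, value)] += 1
    return seen

def unknown_params(counts, known=KNOWN_PARAMS):
    """Parameter names not on the allowlist, with hit counts, most frequent first."""
    tally = Counter()
    for (name, _value), hits in counts.items():
        if name not in known:
            tally[name] += hits
    return tally.most_common()

def htaccess_rules(names):
    """Render a mod_rewrite block returning 403 to any request carrying one of these parameters."""
    if not names:
        return ""  # never emit an unconditional deny
    conds = []
    for i, name in enumerate(names):
        flags = "[NC,OR]" if i < len(names) - 1 else "[NC]"  # OR-chain all but the last condition
        conds.append(f"RewriteCond %{{QUERY_STRING}} (^|&){re.escape(name)}= {flags}")
    return "\n".join(["RewriteEngine On", *conds, "RewriteRule ^ - [F]"])
```

Review the list from `unknown_params` before passing names to `htaccess_rules`; a legitimate parameter missing from the allowlist would otherwise be blocked along with the spam.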

I haven't heard of that plugin before, but Sucuri Security does basically the same thing, as does WP Engine if you host on there.

Preventing hackers from hacking your WP site isn't really basic. I mean, you could host your site on WPEngine and they'd sort most of this out for you. That would probably be my recommendation for those who aren't technical enough to implement all of the above recommendations.

To directly answer your question though, I don't know of a basic, beginner-centric guide to this.

Good points! I hadn't heard about the xmlrpc.php issue, so good to know. I know WPEngine partners with Sucuri, so you get the best of both worlds, so I'll be interested to see how they really pan out after I've had my sites hosted there for a while.

If I understand correctly, WPEngine disallows the use of W3 Total Cache not for security reasons, but because it conflicts with functionality that WPEngine provides. That said, W3 Total Cache did have a big security issue recently, and while it was promptly fixed, it goes to show that you have to be careful even with well-supported plugins.

All excellent points! I can't believe I left out the admin bit :) Definitely don't use admin as your username, and if it already exists, create a different account with admin rights and delete the old Admin login. One cool thing with the Limit Login Attempts plugin is it shows you what username someone attempted to use, and 99% of the time it's Admin.

Yup, you trade security for convenience. I love WP, but it's exceptionally NOT secure out of the box. And considering WP powers many millions of websites...well, it's a field ripe for plucking. I hope this guide helps to curb some of that.

While it's helpful for remembering passwords, it's generally best to avoid basic number/character substitutions like Str0ngP@ssw0rd. Most password crackers and brute force tools account for common substitutions like that. The only exception to this rule would be if your password begins and ends with odd sequences.

!@Str0ngP@ssw0rd#$ would be better, because you can't use a standard dictionary attack with character substitutions to crack it. Each additional random character you add to the beginning or end increases the difficulty of cracking the password exponentially.

Yup, good example of security by obscurity. You can think of WP security kind of like surviving a zombie horde...you don't need to be faster than the zombies, you just need to be able to outrun someone else in your group :) Because it's impossible to make a site 100% secure, your goal should be to make your site more trouble than it's worth, and security by obscurity tricks are the first step in accomplishing that.

Unfortunately I don't know of any China or HK based hosting providers that are super secure. That said, the location of your hosting isn't terribly important if you make use of a good global CDN, so I'd consider options outside of those locations.

It's possible for a plugin to contain malware, and it's also possible for a plugin to behave in a way that can be seen as malware even if it isn't. This is just one reason why you need to be very careful when picking which plugins you're going to install. Only use reputable plugins, and use the fewest possible plugins to get the functionality you need.

I haven't used Hostgator, so I'm not sure what their server set-up is like. Most major hosts though adhere to at least the basics of server security, so if you take care of the parts that are in your control, you should be OK.